How can I hire hackers for an event?
July 3, 2018 5:23 AM

I've proposed to one of my clients - a financial company - that we hold an event at which a number of hackers will within a short period of time (e.g. a few hours) see how much information they can gather about my client's company. Now I need to see if it's really possible. Specific details below the fold.

Question 1: Is this realistic? Can a hacker actually sit at a computer and three hours later say, "here are the vulnerabilities in your network, and here's data I've found about your company?" Or is it actually a longer, more involved process?

Question 2: What's the specialist I'm looking for? White-hat hackers? Penetration specialists? Security experts?

Question 3: Where would I find such people?

Question 4: What would I pay?

Important note: This would be done with the client's explicit permission, in the US.

Thanks!
posted by bassomatic to Computers & Internet (15 answers total) 3 users marked this as a favorite
 
There are definitely companies you can hire for this kind of thing, but I've never heard of the reputable ones doing it as a kind of party trick.
posted by peanut_mcgillicuty at 5:34 AM on July 3, 2018


Is this realistic? Can a hacker actually sit at a computer and three hours later say, "here are the vulnerabilities in your network, and here's data I've found about your company?"

Far more likely to sit on the phone and social-engineer the weakness in the company which I suspect, given your finance exec audience, would lead to bad bad consequences for some random poorly-trained staff.
posted by pompomtom at 6:02 AM on July 3, 2018 [3 favorites]


The specialists you are looking for are penetration testers. They won't be able to do it as an event; they can't predict how long it will take.
posted by rachelpapers at 7:00 AM on July 3, 2018 [4 favorites]


What you want is a pentest ("penetration test"), and there are plenty of companies that do that work, from large to small, but nobody even vaguely reputable will take a job under the conditions you describe. An engagement where testers are being set up for failure ("you've got 3 hours, here's the system, go for it") can't be anything but bad news for the testers - nobody wants to do a job, present an all clear report with enormous caveats ("we had 3 hours only"), and then have the client go announcing "we got tested by Prestigious Infosec Firm and they found no problems".

So yeah, hiring people to attack your systems and tell you what they found is certainly a thing, but "an event" is not even close to the way it works. And I'm sorta surprised that a financial company doesn't have an existing relationship with a specialist security provider (either that, or is large enough to have an internal security group who know this stuff).
posted by russm at 7:09 AM on July 3, 2018 [1 favorite]


Oh, and to answer Question 1: No, they cannot. Depending how bad the target's security is, they may be able to come back in 3 hours and say "here are the vulnerabilities I've found so far in your network". But if they've found anything significant in 3 hours, then there are absolutely 100% certainly many many far more significant issues just waiting to be discovered.
posted by russm at 7:13 AM on July 3, 2018 [4 favorites]


Echoing the above, it’s unlikely that you will find a reputable group to do this with that setup. A typical pen testing engagement is on the order of weeks or months - some time to brief the team on the setup and understand what they need, a week or more for the actual testing (depending on scope and intent), and a few weeks for them to write up their findings and brief your team on them. The findings will often be very technical and specific and not very intelligible to the sort of audience you’re talking about - you would also need a “translator” to present the findings in terms of business impact.

The cost varies widely depending on the quality of teams, but in any case you’re hiring professionals with a steep hourly rate.
posted by asphericalcow at 7:32 AM on July 3, 2018 [2 favorites]


"here are the vulnerabilities in your network, and here's data I've found about your company?"

These are two different areas of the field, though they play into each other. Examining the network for vulnerabilities is penetration testing or red teaming and searching for information about the company is OSINT (open source intelligence).

a financial company

They should, by regulation, already be doing this. Unless they're intentionally hiring shoddy testers or they're not remediating what is found, important stuff shouldn't shake out in a few hours.

within a short period of time (e.g. a few hours)

Bad guys spend months to years attacking FIs and do things like write custom malicious print drivers to cover their tracks. Unless your client's security is egregious, limiting a test to three hours is only going to give them a false sense of security.

Most skilled people don't want to be part of a party trick where they're being set up to fail. There are a few showy people who can do a compelling short OSINT demonstration on how to socially engineer execs within that period of time.

Try watching Jason Street walking through how he'd use it to attack your client.

What would I pay?

Good people bill $100-500/hour, sometimes more, plus travel.
posted by Candleman at 7:43 AM on July 3, 2018 [2 favorites]


A lot of this kind of testing is not actually just muscling through computer/security systems, it's stuff like seeing how vulnerable the company is to phishing and other social engineering techniques -- so it can't be done at an "event."

An "event" might even be counterproductive, because it probably won't uncover a lot of the company's actual vulnerabilities and may lull management into a false sense of security.
posted by rue72 at 7:45 AM on July 3, 2018 [3 favorites]


You can hire out Clear Skies for an ISA. ISA stands for "IT Security Assessment".

We hire them twice a year where I work. They are supremely great at what they do and well worth every penny.
posted by nikaspark at 8:22 AM on July 3, 2018 [1 favorite]


To be clear, you spend time up front negotiating the times they will come in on site and own you. Once they get in the exercise lasts on-site for a few hours, but there are many hours of work leading up to the "few hours onsite".

Clear Skies in a few hours of "operational attack" will absolutely find stuff and show you where your ass is.
posted by nikaspark at 8:26 AM on July 3, 2018


Hi,

Yes - you want penetration testers, look for word of mouth recommendations on who could do something like this for you.

(I do similar work in the UK; if you've got no contacts, message me directly and I'm happy to make enquiries about USA equivalents or offices... but what sort of time frame are you looking at?)

But you don't want a three hour event - for many reasons, but the most significant are that you want a guaranteed result, and you don't want to waste your customer's time - so hire a pentest company to do this and generate a report, but get them to put on a presentation about what they found too, with the emphasis on communicating what they found.
posted by DancingYear at 12:37 PM on July 3, 2018


Have you spoken with your company's (and your client's) lawyers about this? What if the amount of information the hackers get from the client is "all of it?"
posted by rhizome at 1:08 PM on July 3, 2018 [1 favorite]


There are companies that do stuff like this -- you can see this blog post about a similar event run by Hacker One, but

1) Three hours is really, really short, the event in question was nine hours.
2) It's expensive -- as you can see, this one-day event cost the company over $400,000 in payments to the hackers alone and that doesn't even cover any of the travel or other expenses of the event. Now, this was an unusually large event and $400,000 was a record setting amount, but still, you should expect to pay at least in the high five or low six figures for this kind of thing.
posted by phoenixy at 1:32 PM on July 3, 2018


Yep. Pen testers, also known as Tiger Teams. Advice: get your legal team involved early, and write up some high powered NDA contracts.
posted by evilmonk at 2:42 PM on July 3, 2018 [1 favorite]


From the above comments, you might consider getting a hacker or pentest expert to present as a public speaker instead. Not sure if you can afford Kevin Mitnick, but something similar might be a good way of getting around the time-frame issue that keeps cropping up.
posted by ninazer0 at 5:47 PM on July 3, 2018

